OpenSSL self-built certificate SSL + Apache

The following are my notes. Author name: wingger.

This article tests the certificates on Linux9 with Apache 2.0.52, Tomcat 5.5.6, J2SE 1.5, and OpenSSL 0.9.7.
The purpose of this article is to share experience. If you find any errors, please point them out.
When reprinting, please credit the source and keep the article intact.
Now let's start the installation.

First, you need to understand some basic concepts before installing.

1. Certificates used by SSL can be self-generated or signed by a commercial CA such as VeriSign or Thawte.

2. Certificate concept: first you must have a root certificate, and then use the root certificate to issue the server certificate and the client certificate. Generally, the server certificate and the client certificate are at the same level of the hierarchy. The root certificate and the server certificate must be installed in SSL for authentication.

Therefore, in this environment you must have at least three certificates: the root certificate, the server certificate, and the client certificate.
Before a certificate is generated, a private key is usually created first, a certificate request is generated with that private key, and the certificate is then issued using the root certificate of the certificate server.

3. The certificate signing problem: I recently looked through a lot of material about OpenSSL. Most of it only generates the root certificate, the private key, and the server certificate request, and never actually performs the signing. I referred to some documents here. I use the CA.sh script provided by OpenSSL to sign the certificates, rather than sign.sh from mod_ssl.

Generating certificates with the raw OpenSSL syntax has many restrictions, such as the directory and key locations, and it is troublesome. I tried it for several days and finally gave up. If you are interested, refer to the OpenSSL manual.

Step 1: Install OpenSSL and Apache
Download openssl-0.9.7e.tar.gz (the latest version) to
2. Uninstall the old OpenSSL library:

  # rpm -e --nodeps openssl

3. Decompress the package:

  # tar xzvf openssl-0.9.7e.tar.gz

4. Enter the OpenSSL directory and install it. Use --prefix to specify the OpenSSL installation directory.

  # cd openssl-0.9.7e
  # ./config --prefix=/usr/local/openssl
  # make
  # make test
  # make install

5. Install Apache
Download httpd-2.0.52.tar.gz, the latest Apache version, to
Decompress the package and go to the Apache directory. Enable the modules you need. I enabled SSL, rewrite, and dynamic module loading (so). Replace PREFIX with the Apache installation directory; the paths later in this article use /usr/local/apache.

  # tar zxvf httpd-2.0.52.tar.gz
  # cd httpd-2.0.52
  # ./configure --prefix=PREFIX --enable-ssl --enable-rewrite --enable-so --with-ssl=/usr/local/openssl
  # make
  # make install

Step 2: Sign the certificates
After OpenSSL is installed, there is a CA.sh file under the OpenSSL directory, which is used for signing.
We will sign three certificates and then use these three certificates to deploy the SSL server.

1. Create an ssl.crt directory under /usr/local/apache/conf and copy the CA.sh file to the /usr/local/apache/conf/ssl.crt/ directory:

  [root@win ssl]# cp /usr/local/openssl/ssl/misc/CA.sh /usr/local/apache/conf/ssl.crt/CA.sh

2. Run CA.sh -newca. It looks for the private key and password file of the CA you want to use. If this file does not exist, press Enter to create it automatically, then enter a password to protect the file. Next you are asked for the company information used to make the CA certificate. Finally, a ./demoCA directory is added to the current directory: ./demoCA/private/cakey.pem is the key file of the CA, and ./demoCA/cacert.pem is the certificate file of the CA.

  [root@win ssl.crt]# ./CA.sh -newca

Enter the following information:

  Country Name (2 letter code) [GB]: CN
  State or Province Name (full name) [Berkshire]: Fuji
  Locality Name (eg, city) [Newbury]: Fuzhou
  Organization Name (eg, company) [My Company Ltd]: fjjm
  Organizational Unit Name (eg, section) []: FD
  Common Name (eg, your name or your server's hostname) []: Win
  Email Address []: WIN@WIN.COM

In this way, a CA is created, with the root certificate's private key cakey.pem and the root certificate cacert.pem. You can now use cacert.pem to sign certificates.

3. Sign the server certificate
Generate the server private key:

  [root@win ssl.crt]# openssl genrsa -des3 -out server.key 1024

Generate the server certificate request:

  [root@win ssl.crt]# openssl req -new -key server.key -out server.csr

Enter the following information:

  Country Name (2 letter code) [GB]: CN
  State or Province Name (full name) [Berkshire]: Fuji
  Locality Name (eg, city) [Newbury]: Fuzhou
  Organization Name (eg, company) [My Company Ltd]: fjjm
  Organizational Unit Name (eg, section) []: FD
  Common Name (eg, your name or your server's hostname) []: Win
  Email Address []: WIN@WIN.COM
  Please enter the following 'extra' attributes
  to be sent with your certificate request
  A challenge password []: Win
  An optional company name []: Wing

Finally, rename (mv) the server.csr file to newreq.pem, and then sign it with CA.sh:

  [root@win ssl.crt]# mv server.csr newreq.pem
  [root@win ssl.crt]# ./CA.sh -sign

This generates the server certificate newcert.pem.
Rename newcert.pem to server.crt:

  [root@win ssl.crt]# mv newcert.pem server.crt

4. Process the client certificate
Generate the client private key:

  [root@win ssl.crt]# openssl genrsa -des3 -out client.key 1024

Generate the client certificate request:

  [root@win ssl.crt]# openssl req -new -key client.key -out client.csr

Sign the client certificate with the CA:

  [root@win ssl.crt]# openssl ca -in client.csr -out client.crt

Convert the certificate to PKCS12 format:

  [root@win ssl.crt]# openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.pfx

5. Three certificates and three private keys are now available. The certificates are the root certificate under demoCA, and the server certificate and client certificate under ssl.crt. The keys are the root key under demoCA/private, and the server key and client key under ssl.crt. The certificate location and the server key location are set in ssl.conf under conf.

I created an ssl.crt directory under conf and put all the keys and certificates there.

  # cp demoCA/cacert.pem cacert.pem

Make a copy of the certificate and name it ca.crt:

  # cp cacert.pem ca.crt

Step 3. Edit ssl.conf

  # cd /usr/local/apache/conf

Edit ssl.conf:

  # Specify the server certificate location
  SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
  # Specify the server certificate key location
  SSLCertificateKeyFile /usr/local/apache/conf/ssl.crt/server.key
  # Certificate directory
  SSLCACertificatePath /usr/local/apache/conf/ssl.crt
  # Root certificate location
  SSLCACertificateFile /usr/local/apache/conf/ssl.crt/cacert.pem
  # Enable client SSL requests
  SSLVerifyClient require
  SSLVerifyDepth 1

Start SSL:

  # /usr/local/apache/bin/apachectl startssl

The password of server.key is required.
This starts a default SSL server and HTTP server.

Step 4. Install and use the certificates
Copy the ca.crt root certificate and the client.pfx client certificate generated above to the client and install them there.
ca.crt is installed as a trusted authority. client.pfx is installed directly in Windows or in the personal certificate location. Then access the HTTP and HTTPS servers by IP address.
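
The chain from Step 2, rebuilt non-interactively and checked before Apache is pointed at the files, as an added example that is not part of the original article. It assumes a current OpenSSL, uses `openssl x509 -req` in place of CA.sh, and generates 2048-bit keys without passphrases; the subject names, the second CA and the `changeit` export password are constructed.

```bash
#!/bin/bash
# Added example (not from the original article). Subject names, the second
# CA and the "changeit" export password are constructed sample values.

# Build a CA, a server and a client certificate in directory $1, then run the
# checks worth doing before ssl.conf references the files. Returns 0 on success.
build_and_check() (
    cd "$1" || exit 1

    # Root CA key and self-signed certificate (the job of "CA.sh -newca").
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/C=CN/O=fjjm/CN=Example Root CA" \
        -keyout cakey.pem -out cacert.pem 2>/dev/null || exit 1

    # Server and client: private key + request, then signed by the CA.
    for name in server client; do
        openssl req -newkey rsa:2048 -nodes -subj "/C=CN/O=fjjm/CN=$name" \
            -keyout "$name.key" -out "$name.csr" 2>/dev/null || exit 1
        openssl x509 -req -in "$name.csr" -CA cacert.pem -CAkey cakey.pem \
            -CAcreateserial -days 365 -out "$name.crt" 2>/dev/null || exit 1
    done

    # Check 1: both certificates chain to the root named in SSLCACertificateFile.
    openssl verify -CAfile cacert.pem server.crt client.crt >/dev/null || exit 1

    # Check 2: server.key really belongs to server.crt (same public key).
    k=$(openssl pkey -in server.key -pubout | openssl dgst -sha256)
    c=$(openssl x509 -in server.crt -noout -pubkey | openssl dgst -sha256)
    [ "$k" = "$c" ] || exit 1

    # Check 3: a certificate from an unrelated CA must NOT verify; this is
    # what "SSLVerifyClient require" relies on to turn other clients away.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Other CA" \
        -keyout other.key -out other.pem 2>/dev/null || exit 1
    ! openssl verify -CAfile cacert.pem other.pem >/dev/null 2>&1 || exit 1

    # Check 4: the PKCS#12 bundle for the client opens with its password.
    openssl pkcs12 -export -clcerts -in client.crt -inkey client.key \
        -passout pass:changeit -out client.pfx || exit 1
    openssl pkcs12 -in client.pfx -passin pass:changeit -noout 2>/dev/null
)

workdir=$(mktemp -d)
build_and_check "$workdir" && echo "all checks passed in $workdir"
```
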
